Re: [PATCH net] skb_checksum_help: fix out-of-bounds access

From: Eric Dumazet

Date: Fri Dec 12 2025 - 03:25:17 EST


On Fri, Dec 12, 2025 at 4:30 AM Junrui Luo <moonafterrain@xxxxxxxxxxx> wrote:
>
> On Wednesday 10 December 2025 09:55:17 PM (+08:00), Willem de Bruijn wrote:
>
> > Junrui Luo wrote:
> > > The skb_checksum_help() function does not validate negative offset
> > > values returned by skb_checksum_start_offset(). This can occur when
> > > __skb_pull() is called on a packet, increasing the headroom while
> > > leaving csum_start unchanged.
> >
> > Do you have a specific example where this happens?
>
> After testing, I found that triggering this condition in practice is
> difficult. In my test cases, normal packet processing does not create
> the conditions where headroom becomes large enough to make the offset
> negative.

I suspect this is a virtio-fed packet?

Adding WARN_ONCE(true, "offset (%d) < 0\n", offset) will still trigger
bugs as far as syzbot is concerned.

BTW, the current code following your added code should catch the bug just the same,
so your patch makes no difference?

if (unlikely(offset >= skb_headlen(skb))) {
        DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false);
        WARN_ONCE(true, "offset (%d) >= skb_headlen() (%u)\n",

Because offset is promoted to "unsigned int", as skb_headlen() is "unsigned int"

Look at commits eeee4b77dc52b ("net: add more debug info in skb_checksum_help()")
and 26c29961b1424 ("net: refine debug info in skb_checksum_help()")
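The promotion argument above, as an added stand-alone example (not kernel code and not from either poster): a toy model of the sk_buff fields involved (head, data, len, csum_start) shows how a pull can drive the checksum-start offset negative, and why the existing unsigned comparison against skb_headlen() still rejects it. All field values are constructed.

```c
/* Added example: models the sk_buff fields the thread discusses to show
 * why a negative checksum-start offset is already caught by the existing
 * ">= skb_headlen()" check. Not the kernel's real sk_buff. */
#include <stdbool.h>
#include <stdio.h>

struct toy_skb {
    unsigned char *head;        /* start of the buffer */
    unsigned char *data;        /* start of the current header */
    unsigned int len;           /* linear length, i.e. skb_headlen() */
    unsigned short csum_start;  /* offset from head where checksumming starts */
};

static unsigned int toy_headroom(const struct toy_skb *skb)
{
    return (unsigned int)(skb->data - skb->head);
}

/* Mirrors skb_checksum_start_offset(): csum_start minus headroom, as int. */
static int toy_csum_start_offset(const struct toy_skb *skb)
{
    return skb->csum_start - toy_headroom(skb);
}

/* Mirrors __skb_pull(): data advances, len shrinks, csum_start is untouched,
 * so headroom can grow past csum_start and the offset goes negative. */
static void toy_pull(struct toy_skb *skb, unsigned int n)
{
    skb->data += n;
    skb->len -= n;
}

/* The existing check in skb_checksum_help(). offset is int and headlen is
 * unsigned int, so C's usual arithmetic conversions compare both as
 * unsigned: a negative offset becomes a huge value and trips the check. */
static bool toy_offset_rejected(int offset, unsigned int headlen)
{
    return offset >= headlen;
}

/* Constructed scenario: 16 bytes headroom, csum_start 32, then pull n bytes. */
static int scenario_offset(unsigned int pull_bytes)
{
    static unsigned char buf[256];
    struct toy_skb skb = { buf, buf + 16, 200, 32 };
    toy_pull(&skb, pull_bytes);
    return toy_csum_start_offset(&skb);
}

int main(void)
{
    int off = scenario_offset(64);   /* headroom 80 > csum_start 32 */
    printf("offset %d, rejected by headlen check: %d\n", off,
           toy_offset_rejected(off, 200 - 64));
    return 0;
}
```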